This policy aims to ensure the protection of personal information and to define the procedures for the collection, use, communication, retention, destruction, and management of information by Gestion Informatique SRPG, including management, employees, suppliers, etc. Additionally, it aims to inform all concerned individuals about the processing of their personal information by Gestion Informatique SRPG, whether they are clients, employees, or any other persons.
RESPONSIBILITY
SRPG is committed to meeting all requirements related to the protection, collection, use, disclosure, and retention of personal information under the law. The information collected, used, communicated, retained, or destroyed is governed by this policy to protect the privacy of all individuals. To ensure optimal protection of personal information, the person responsible for the protection of information at Gestion Informatique SRPG must:
• Supervise and review internal practices and procedures for handling personal information and compliance with current laws;
• Suggest measures to ensure the continuous protection of personal information in line with privacy impact assessments;
• Implement necessary measures within the company to ensure the protection of information;
• Ensure compliance and training of staff on best practices for protecting personal information;
• Coordinate, investigate, and respond to requests and complaints related to the protection of personal information;
• Communicate with the concerned individuals and the Commission d’accès à l’information (CAI) in the event of a data breach or any incident;
• Maintain a record of incidents related to personal data.
The protection of personal information is everyone's responsibility. No reprisals can be made against an individual who files a complaint related to the protection of personal information or participates in a CAI investigation procedure.
COLLECTION OF PERSONAL INFORMATION
The personal information collected allows Gestion Informatique SRPG to perform its functions and conduct its activities in accordance with applicable laws and standards. Gestion Informatique SRPG collects personal information only when necessary and for specific,
predefined purposes. The collection of personal information is done directly from the concerned individual and with their consent, unless an exception is provided by law. Most of the personal information collected concerns employees to meet the company's legal obligations. The communication of personal information of other individuals may be requested to assist employees in case of emergency, for example. It is the responsibility of employees to obtain their consent before providing their contact details. Regarding client information, data is provided to feed our CRM, contracts, and billing, but it is mostly professional or business information such as email and phone number for contact or payment method for services rendered. Payment information is entered, whenever possible, by the client into the CRM and is masked for the rest of the company's members to ensure confidentiality. For clients who have filled out a form including their credit card or business or professional bank account number, the data is accessible only by a small number of employees such as administration and owners to process the files.
CONSENT AND ACCURACY OF PERSONAL INFORMATION
Gestion Informatique SRPG ensures that the collection of personal information is done for justified, clear, and specific reasons and with the free and informed consent of the individual. Consent is required for any collection, use, or disclosure of personal information. Before collecting personal information, we will ensure to obtain your informed consent in writing and separately, providing clear details on the purpose of the collection and how the information will be used. Your consent is essential to ensure the protection of your personal data.
LIMITATION OF THE USE OF PERSONAL INFORMATION
We collect and use your personal information only when necessary and for the purposes for which consent has been obtained. Gestion Informatique SRPG must provide certain information to meet legal and regulatory verification processes and requirements. Information may be transmitted to third parties as necessary for internal activities. Gestion Informatique SRPG cannot be held responsible for the behavior and use undertaken by third parties. Personal information will not be used or disclosed for other purposes unless required by law.
PROTECTION OF YOUR PERSONAL INFORMATION
Gestion Informatique SRPG takes all reasonable precautions and has implemented significant physical and technical measures to prevent unauthorized or illegal use and access to personal information. The measures in place include, among others: • Use of information only when necessary; • Ensuring the confidentiality and protection of personal information that an individual may have become aware of in the course of their duties, unless authorized to disclose it by the concerned person; • Protection of records with selective and limited access to authorized persons; • Securing office access with locked doors and access codes; • Secure shredding of paper records; • Two-factor authentication for all platform logins; • Immediate removal of access following the end of a business relationship. All individuals are required to contribute to the protection of personal information. If you suspect that sensitive information has been compromised, you must immediately notify the person responsible for the protection of personal information.
RETENTION PERIOD OF YOUR PERSONAL INFORMATION
Unless a minimum retention period is required by applicable law or regulation, Gestion Informatique SRPG will retain personal information only for the duration necessary to achieve the purposes for which it was collected. Personal information used by SRPG to make a decision about an individual must be retained for at least one year following the decision or even seven years after the end of the fiscal year in which the decision was made if it has tax implications, for example, in the case of employment termination circumstances. At the end of the retention period or when personal information is no longer needed, Gestion Informatique SRPG will ensure to: 1. Destroy it; or 2. Anonymize it (i.e., make it irreversibly unidentifiable so that it is no longer possible to link the information to the individual) for serious and legitimate purposes. The destruction of information by Gestion Informatique SRPG must be done securely to ensure the protection of this information. This section may be supplemented by any policy or procedure adopted by Gestion Informatique SRPG regarding the retention and destruction of personal information, if applicable. Please contact the person responsible for the protection of personal information at Gestion Informatique SRPG (indicated in this policy) for more information.
COMMITMENT TO TRANSPARENCY
Gestion Informatique SRPG is committed to being transparent about the processing, procedures, and purposes of using personal information with clients, employees, interns, and business partners.
ACCESS TO YOUR PERSONAL INFORMATION
An individual can request access to personal information concerning them and the means used to collect it. Depending on the content of the individual's file, exceptions may apply, such as personal information about others; however, the individual will be informed. In case of inaccurate information in the file, the concerned person can request a correction. For any consultation, withdrawal, and/or modification of personal information, you can write to the email address [email protected] . At any time, you can withdraw your consent to the communication of your personal information. A written request must be submitted to the person responsible for the protection of personal information at [email protected]. A response will be provided within 30 days from the date of receipt. When it is not possible to share the requested information, a legal justification and support will be provided to support the decision to the requester.
FILING A COMPLAINT
An individual who believes that their personal information has been collected, retained, used, disclosed, or destroyed in a manner that does not comply with the provisions of this policy may file a confidential complaint with the person responsible for the protection of personal information at the email address [email protected]. The individual must provide their name, contact information, including a phone number, as well as the subject and reasons for the complaint. Sufficient details must be provided for the complaint to be properly assessed. A response will be provided within 30 days from the date of receipt of the complaint. If the complaint is insufficiently precise, the person responsible for the protection of personal information may request any additional information deemed necessary to assess the complaint. The responsible person will conduct an investigation into the complaints received, minimize damages, and make necessary corrections. It is also possible to file a complaint with the Commission d’accès à l’information du Québec. However, Gestion Informatique SRPG encourages concerned individuals to first communicate with the person responsible for the protection of personal information and to await the conclusion of the planned processing procedure.
APPROVAL
This policy is approved by the person responsible for the protection of personal information within Gestion Informatique SRPG.
Person responsible for the protection of personal information:
[email protected]
4930 Allée des Sorbiers Saint-Hubert (Québec) Canada J3Y 9C9
For any request, question, or comment regarding this policy, please contact the responsible person by email.
